Issues getting LAN to talk through Wan on 2.0



  • Man…... I tried... I looked high and low... and I am certain it is probably staring me in the face... but I've spent 6 hours on this now... and my brain is mush.

    I am a long time user of pfsense however this 2.0 seems to have thrown me a curve ball.  I don't do curve balls very well.   :-\

    I have set up a new 2.0 system and have 1 wan, 1 lan and 1 opt (maintenance network).  Everything communicates regarding the opt network and the lan network internally and up to the pfsense box... that is.. I can get to and manage the pfsense box without issue.  I can ping the wan address from the internet and I can ping internet addresses from the pfsense's diagnostic ping command and from the command line.  I can not however ping anything from within the lan network (don't care to regarding the opt 'maintenance' network) to the internet.  Not trying to do anything fancy here at this time other than set up a very basic firewall/router.  There is no DHCP requirement and none used.  My assumption is that I am missing a rule which needs to be configured to 'tie' the LAN to the WAN but for the life of me I can't figure it out.  Aside from general NAT rules, i.e. 0.0.0.0/0 to gateway address or something to that effect tho pretty certain that's what the 'default' to gateway address is suppose to be doing, to accommodate outside access to inside services (which also are not reachable), the setting up of the wan, lan, and opt interfaces, everything else is pretty much as it comes out of the box... here is the basic configuration:

    WAN:

    IP address     173.xxx.xxx.187  / 28
    Gateway    173.xxx.xxx.190

    LAN:

    IP address       192.168.40.1 / 24
    Gateway      None  ( I assume it would be the only wan port and would be handled by pfsense)

    Firewall: NAT: Outbound

    AON checked

    Interface     Source              Source Port     Destination     Destination Port     NAT Address     NAT Port     Static Port     Description

    WAN      192.168.40.0/24      *                    *                    *                    *                    *            NO

    Firewall: NAT: Port Forwarding

    If     Proto     Src. addr     Src. ports        Dest. addr     Dest. ports     NAT IP             NAT Ports       Description

    WAN    TCP                  *    80 (HTTP)       LAN address    80 (HTTP)            192.168.40.108    80 (HTTP)            HTTP - Web01    
    WAN    TCP                  *    443 (HTTPS)  LAN address    443 (HTTPS)    192.168.40.108    443 (HTTPS)    HTTPS - Web01    
    WAN    TCP                  *    25 (SMTP)       LAN address    25 (SMTP)            192.168.40.113    25 (SMTP)            SMTP - Antispam1    
    WAN    TCP                  *    53 (DNS)       LAN address    53 (DNS)            192.168.40.2    53 (DNS)            DNS - NS1    
    WAN    TCP                  *    110 (POP3)    LAN address    110 (POP3)    192.168.40.109    110 (POP3)    POP3 - IMail Server    
    WAN    TCP                  *    10989       LAN address    10989            192.168.40.109    10989            RD - IMail

    System: Gateways:

    Name                      Interface     Gateway              Monitor IP     Description

    WAN (default)            WAN            173.xxx.xxx.190    173.xxx.xxx.190 (another live subnet at another location... not same IP as gateway)

    Diagnostics: Routing Tables

    Destination              Gateway            Flags    Refs    Use            Mtu        Netif    Expire
    default              173.165.40.190    UGS    2    11263    1500        le0    
    127.0.0.1              link#7            UH    0    19            16384    lo0    
    127.0.0.2              127.0.0.1            UHS    0    0            16384    lo0    
    173.xxx.xxx.190     173.xxx.xxx.190    UGHS 4    8608            1500        le0     (monitor address to similar net but not same)
    173.xxx.xxx.176/28 link#1            U    3    15305    1500     le0    
    173.xxx.xxx.187      link#1            UHS    0    0            16384    lo0    
    192.168.40.0/24      link#3            U    0    481            1500        le2    
    192.168.40.1      link#3            UHS    0    1038            16384    lo0    
    192.168.70.0/24    link#2            U    2    9851            1500        le1    
    192.168.70.42      link#2            UHS    0    0            16384    lo0

    As I indicated... I CAN ping the wan interface from the outside.  I can also ping internet addresses from pfsense itself so I know there is a physical path.  LAN can get to pfsense box and manage through the WebGUI with no issues.  DNS is working as I can ping by domain name from the pfsense environment.  It should also be noted that I can reach the webGUI from the internet without issue.  I just can't reach anything that is port forwarded to the internal LAN or from the LAN, reach anything out on the internet.

    Please.... somebody put me out of my misery.    ???

    I appreciate any assistance provided.



  • I notice a number of reads on this thread however no suggestions.  It really can't be that tough can it?

    Do I need to create a 'gateway' group even if only one gateway exists?  As I am not looking to load balance at this time or setup multi-home connections I wouldn't have thought it necessary but perhaps it is.  If I can get a confirmation one way or the other that will help to narrow it down.

    Thanks



  • It should be noted that in the firewall logs I can see the attempts to ping from an internal IP to the wan gateway IP.  I click on the 'easy rule: pass this traffic' enters the rule however doesn't make any difference.  Still is not passing traffic from the wan interface to the upstream gateway.



  • Your NAT entries are wrong, read the note there for source port - "This is usually random and almost never equal to the destination port range (and should usually be "any"). "



  • And the destination address is wrong, that will be the WAN IP.



  • You know… sometimes you just can't see the forest for the trees... thank you cmb... you are a tonic for my befuddled brain...  :-\  that worked as far as getting from the outside in... I still however am not getting from the inside out.  No pinging, no data access to the internet.  Anything strike you as goofy regarding my configuration?

    As near as I can figure it.... I am able to ping the wan interface from the any lan device.  I can also remote from internet based devices into the webGUI of pfsense so I know I'm getting to the wan from the outside.  I can also ping the wan interface from the outside and now I can access redirected ports from the outside to the lan.  The only thing I can not do is ping the gateway  from the lan nor access any service from the lan to the internet.

    I went through the setup wizard and all settings are correct and complete.  The only thing that I am unsure about is the wan gateway configuration.  I certainly have the IP of the next router up the chain (This would be the modem/router of our provider) but we seem to be missing that 'link' between the wan and that gateway for outbound connectivity.

    The wan IP is xxx.xxx.xxx.187 with the gateway being xxx.xxx.xxx.190 on a /28 subnet.  The 'monitor' IP is that of another one of our facilities and that ip is being reached by the monitor and pfsense is reporting the wan 'up'.

    Pretty confused at this point.



  • Since the firewall has access, and the hosts behind it can get to the WAN, that narrows it down to almost certainly one of two things:

    1. LAN rules are wrong (not the case if you have the default LAN rule)
    2. Outbound NAT is wrong (not the case if you're using automatic outbound NAT)


  • I checked the outbound nat rules… I never entered any so the only rule at hand is the default.  It was however set to manual outbound NAT rule generation (as shown in the first post above) and I changed that to Automatic outbound NAT rule generation and then rebooted the system and..... hold on... it's comin up.... darn near there.... hot damn!!! It's workin.

    Thanks a bunch cmb.  I really appreciate your assistance.  What I have set up is a partial virtual environment making a half dozen of our physical servers all virtual with a virtual pfsense on the same power server.  I will continue to work with and test this until such time 2.0 is released for live use and will report any issues that may arise.

    For anyone interested I'm using vmware's ESXi 4.1 on a dual xeon MT 3.4ghz 8gb server and thus far... I'm pretty darned tickled.

    Thanks again cmb.


Log in to reply